Re: [exim] Authenticated User Ratelimiting

Author: Grant Peel
Date:  
To: 'Chris Wilson'
CC: exim-users
Subject: Re: [exim] Authenticated User Ratelimiting
> -----Original Message-----
> From: Chris Wilson [mailto:chris+exim@qwirx.com]
> Sent: October-21-13 9:06 AM
> To: Grant Peel
> Cc: exim-users@???
> Subject: Re: [exim] Authenticated User Ratelimiting
>
> Hi Grant,
>
> On Mon, 21 Oct 2013, Grant Peel wrote:
>
> > Recent events have left us wanting to add rate limiting to our exim
> > configuration.
> >
> > I have seen several examples in various places on the web and
> > everything I can find in the exim specification, and I must say I am a
> > little more than confused.
> >
> > All I really want to do is ratelimit everyone (locally authenticated)
> > to 250/hour, as a start anyways.
>
> This is what I use:
>
> acl_smtp_auth = acl_check_auth
>
> ...
>
> begin acl
>
> ...
>
> acl_check_auth:
>
>          defer
>                  ! hosts = 217.155.111.88/29 : 82.68.244.64/29
>                  ratelimit = 30 / 1h / strict / $sender_host_address
>                  # delay = 30s
>                  message = Too many auth attempts, slow down
>                  log_message = Sender $sender_host_address AUTH rate \
>                          $sender_rate/$sender_rate_period exceeds limit \
>                          ($sender_rate_limit)
>
> So in your case, you probably want "ratelimit = 250 / 1h / strict / global" to use
> the same key (the word "global") for all IP addresses.
>
> Note that this will allow a remote host to deny service to your users by making
> a large number of auth attempts, and the failure mode is very public as users'
> clients will show an error message when they try to authenticate. So probably
> you really want "/ $sender_host_address" instead of "/ global". You probably
> also want to except known IP addresses from this "defer" statement, to keep
> your customers/users happy.
>
> You may want to trial this with "warn" instead of "defer" as the verb, so that
> you'll see messages in the logs if users exceed it. Combined with "delay = 5s"
> you will actually succeed in slowing down cracking attempts a lot, without ever
> failing an auth request.
>
> So I recommend you start with something like this:
>
>          warn
>                  ! hosts = 217.155.111.88/29 : 82.68.244.64/29
>                  ratelimit = 30 / 1h / strict / $sender_host_address
>                  delay = 5s
>                  # message = Too many auth attempts, slow down
>                  log_message = Sender $sender_host_address AUTH rate \
>                          $sender_rate/$sender_rate_period exceeds limit \
>                          ($sender_rate_limit)
>
> Cheers, Chris.
> --
>  _____ __     _
> \  __/ / ,__(_)_  | Chris Wilson <chris+sig@???> Cambs UK |
> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
> \__/_/_/_//_/___/ | We are GNU : free your mind & your software |


Hi Chris,

Thanks for the expedient reply, much appreciated.

Two (quick?) questions:

1) My config seems to me to be quite complex and as such I don't want to
break it. Where in the ACL_CHECK_AUTH list should I place the paragraph? I
am guessing right at the start....

2) Is the Auth 'per authenticated user' per IP address? i.e. I don't want to
block a specific IP for all users due to 1 user's overage ... hope I worded
that question correctly.

Regards,

-G
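The thread's ratelimit is keyed on the client address in acl_smtp_auth, where authentication has not yet happened, so it cannot distinguish users behind one IP. The fragment below is an added example, not Chris's or Grant's configuration: it keeps the per-IP AUTH check for slowing down password guessing, and adds a second ratelimit in the MAIL ACL keyed on $authenticated_id, so the 250/hour budget follows the account rather than the address. The trusted range 192.0.2.0/29 and the ACL names are assumptions.

```exim
# Added example (not from the thread). Assumed: the trusted range,
# the ACL names, and a config that does not already set these ACLs.

acl_smtp_auth = acl_check_auth
acl_smtp_mail = acl_check_mail

begin acl

acl_check_auth:
  # Before authentication $authenticated_id is empty, so the only
  # usable key here is the client address. "warn" plus "delay" slows
  # repeated AUTH attempts without ever rejecting a legitimate login.
  # The hosts list is an assumed placeholder for your own trusted ranges.
  warn
    ! hosts = 192.0.2.0/29
    ratelimit = 30 / 1h / strict / $sender_host_address
    delay = 5s
    log_message = Sender $sender_host_address AUTH rate \
      $sender_rate/$sender_rate_period exceeds limit ($sender_rate_limit)

  accept

acl_check_mail:
  # After a successful AUTH, $authenticated_id holds the login name.
  # per_mail counts MAIL commands (messages), not connections, so one
  # user's overage only defers that account, whatever IP it comes from.
  # Unauthenticated (inbound) mail never matches this statement.
  defer
    authenticated = *
    ratelimit = 250 / 1h / per_mail / strict / $authenticated_id
    message = Sending rate limit exceeded for this account, try again later
    log_message = User $authenticated_id rate \
      $sender_rate/$sender_rate_period exceeds limit ($sender_rate_limit)

  accept
```

Start the second statement as "warn" without "message" to watch $sender_rate in the logs before switching it to "defer"; a 4xx response makes well-behaved clients queue and retry rather than lose mail.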